SHA2017 Junior CTF - In Your Head
Sometimes you have just to listen to your head.
This challenge presents a webpage that only has a single line of text:
Read my Head and find the flag
There is nothing else to be seen in the HTML source code. The clue they provide is to “read my Head”, which refers to the header information included with HTTP requests and responses. When you request a webpage, a variety of header information is sent along with that request. Likewise, when the web server sends you the information you requested (the webpage), it attaches header information that does not appear on the page itself.
This will make more sense when you see it, so let’s use a tool to view the header information. Depending on what browser you use, the developer console may contain this information. You can open this by hitting F12. If you are running Chrome, you can click on the Network tab, refresh the page, select it on the left-hand file listing, and select the “Headers” tab as shown:
If you are on Firefox, the steps are very similar and actually take fewer clicks. Alternatively, Firefox has a great addon called Live HTTP Headers that will capture and present this information to you as well. Install it, run it from the Tools menu (hit Alt to show the menu bar), and refresh the page to capture the headers.
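If you prefer a script to the browser tools, the same check can be done in a few lines of Python. The example below is added here and is not part of the original writeup or the CTF: it parses a raw HTTP response into its status line, headers and body, then lists any header names outside a small set of common ones, since a custom header is where a hint like this is most likely to hide. The response text is constructed for the example (the `X-Hint` header is invented, not the challenge's real header), so it runs offline; the `fetch_raw_headers` helper shows how to obtain a live response with the standard library when you do want to run it against a real page.

```python
"""Parse an HTTP response and surface its non-standard headers."""
from typing import Dict, Tuple
from urllib.request import urlopen

# Constructed sample response for this example. It is NOT captured from the
# CTF server; the X-Hint header is a placeholder for whatever custom header
# a challenge might add.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 05 Aug 2017 12:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 37\r\n"
    "X-Hint: constructed-example-value\r\n"
    "\r\n"
    "<p>Read my Head and find the flag</p>"
)

# Headers almost every server sends; anything else deserves a closer look.
COMMON_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "cache-control", "expires", "last-modified", "etag", "vary",
    "set-cookie", "content-encoding", "transfer-encoding", "location",
}


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively.
    Repeated headers are joined with ", " as RFC 7230 allows.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_line, headers, body


def unusual_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return only the headers that are not in the common set."""
    return {k: v for k, v in headers.items() if k not in COMMON_HEADERS}


def fetch_raw_headers(url: str) -> Dict[str, str]:
    """Fetch a live page and return its response headers (network required)."""
    with urlopen(url) as resp:  # nosec: demo fetch of a page you are allowed to test
        return {k.lower(): v for k, v in resp.getheaders()}


if __name__ == "__main__":
    status, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(status)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print("non-standard headers:", unusual_headers(hdrs))
```

Running the script on the constructed response prints every header and then singles out `x-hint`; pointing `fetch_raw_headers` at a challenge URL gives the same view of a real server's headers without opening the developer console.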
The flag for this challenge is
Review & Lessons Learned
Don’t forget that there is a decent amount of intel to be gained by looking at the HTTP headers that come back from the web server: the server software and version, cookies, redirects, and any custom headers the developer added. If you’re working on a web challenge and run out of ideas, it’s worth taking the minute to look and see if there is anything valuable there. Since it’s a very quick check, I recommend that it be one of the first things you look at after examining the page itself.